[buildd-tools-devel] Bug#685512: Bug#685512: schroot: groups set by PAM are not preserved in chroot

Roger Leigh rleigh at codelibre.net
Sun Oct 14 13:08:44 UTC 2012


On Tue, Aug 21, 2012 at 03:39:06PM +0200, SZABO Zsolt wrote:
> If a group was ordered to the user by pam (using "auth optional
> pam_group.so") then this group will not be preserved in the chroot
> only when the user is added explicitly to the corresponding line of
> /etc/group.
> 
> We have a couple of users (students) whose primary group is stud, e.g.
> However, we assign them as well as to other groups (such as fuse, math)
> by pam during logging in. They can run some software in chroot only and if
> only they are the member of a specific group (like math), however, the "-p"
> option of schroot preserves only the env. variables but not pam_groups.

Have you tried adding the appropriate PAM entry to
/etc/pam.d/schroot ?

schroot is using PAM to start a new session when you run schroot, so
what was previously set up at login is lost--it's equivalent to a
new login, inside the chroot.  Adding the same pam_group.so line to
the schroot PAM configuration should cause the appropriate groups
to be added.  However, we call initgroups() by hand after
setuid/setgid, so I'm not entirely certain this would work.

Please could you try the PAM change and let me know?  If we need to
change how we initialise the groups in favour of doing it all with
PAM, I'm certainly happy to do so if that's possible.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
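
A diagnostic for the behaviour discussed in this thread, as an added example that is not part of the original message and not schroot's code: initgroups() rebuilds the supplementary group list from the group database, so this program lists the groups the current process holds that the database does not grant the user (for example, ones added at login by pam_group.so). The function name groups_not_in_db is hypothetical.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Copy into out[] every gid in cur[] that is absent from db[]; return the count.
 * cur = groups the process holds now, db = groups the group database lists. */
int groups_not_in_db(const gid_t *cur, int ncur, const gid_t *db, int ndb, gid_t *out)
{
    int n = 0;
    for (int i = 0; i < ncur; i++) {
        int found = 0;
        for (int j = 0; j < ndb && !found; j++)
            found = (cur[i] == db[j]);
        if (!found)
            out[n++] = cur[i];
    }
    return n;
}

int main(void)
{
    struct passwd *pw = getpwuid(getuid());
    if (!pw) { perror("getpwuid"); return 1; }

    /* Supplementary groups of this process (may include PAM-assigned ones). */
    int ncur = getgroups(0, NULL);
    if (ncur < 0) { perror("getgroups"); return 1; }
    gid_t *cur = malloc(sizeof(gid_t) * (ncur + 1));
    gid_t *out = malloc(sizeof(gid_t) * (ncur + 1));
    int ndb = 64;
    gid_t *db = malloc(sizeof(gid_t) * ndb);
    if (!cur || !out || !db) return 1;
    ncur = getgroups(ncur, cur);
    if (ncur < 0) { perror("getgroups"); return 1; }

    /* Groups the database grants the user: what initgroups() would set. */
    if (getgrouplist(pw->pw_name, pw->pw_gid, db, &ndb) == -1) {
        db = realloc(db, sizeof(gid_t) * ndb);   /* ndb now holds the needed size */
        if (!db || getgrouplist(pw->pw_name, pw->pw_gid, db, &ndb) == -1) return 1;
    }

    int n = groups_not_in_db(cur, ncur, db, ndb, out);
    for (int i = 0; i < n; i++)
        printf("gid %lu is held by this process but not in the group database\n",
               (unsigned long)out[i]);
    free(cur); free(out); free(db);
    return 0;
}
```

Running it in the login session and again inside the chroot shows which group memberships did not carry over.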


